We reported on Oct 6th that there was a vulnerability in MyBB 1.6.4 and advised on how to fix it on our blog.
If you are running a 1.6.4 forum, it's urgent that you apply this fix as quickly as possible. Visit our blog for instructions.
Checking for other security issues
If you haven't applied the fix yet, or you have been hacked recently, it's a good idea to check other areas to see if a malicious hacker has left back doors into your system. There are various methods to check for these.
- Login to your ACP and go to Tools & Maintenance -> File Verification (on the left)
- This will check core MyBB files to see if they have been edited
- If a file is listed as being changed, and you haven't edited it, download the latest version of MyBB and replace these files
- Take extra precaution if you have installed plugins that alter core files, such as Google SEO
- In the ACP, visit the Tools & Maintenance area and click on the 'Check Templates' tab
- This will check your templates for any security issues that may reveal your database information
- Run a folder comparison using difference software
- Please note that if you have a large forum, or use your forum's root folders for other purposes, this may take a while; use it with caution
- Download your forum's folders and files to your local computer
- Download the latest version of MyBB from our website
- Using software such as SourceGear's DiffMerge, you can compare folders - see the specific instructions for your software on how to do this
- This process will compare the files from your forum to the official release - if there are any extra files, it will detect them and notify you (note, it will also detect custom images and uploads)
- Check each different file to see if you have added it - if you have no idea what it is and it doesn't appear to be important, it's best to remove it from your server (keep a backup of it, however, and if it appears in the uploads folder take extra precaution)
- If in doubt, ask us
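The folder-comparison step above, as an added example (not MyBB's own File Verification code): a script that hashes every file in the deployed forum and in a clean release download, then lists edited core files, unknown extras outside the uploads/images directories, and missing files. The sample tree it builds is constructed in a temporary directory, not taken from a real forum.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories that legitimately hold site-specific files (uploads, custom
# images); unknown files there are reported separately, as the text notes.
SITE_DIRS = ("uploads/", "images/")


def _hash_tree(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(forum_root, release_root):
    """Report core files that differ from the release, extras, and missing files."""
    deployed, pristine = _hash_tree(forum_root), _hash_tree(release_root)
    report = {"modified": [], "extra": [], "site_files": [], "missing": []}
    for rel, digest in sorted(deployed.items()):
        if rel not in pristine:
            # Unknown files outside upload/image dirs are the ones to inspect first.
            bucket = "site_files" if rel.startswith(SITE_DIRS) else "extra"
            report[bucket].append(rel)
        elif digest != pristine[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(pristine) - set(deployed))
    return report


def demo():
    """Build a constructed release/forum pair (not real MyBB files) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        release, forum = Path(tmp, "release"), Path(tmp, "forum")
        for base in (release, forum):
            (base / "inc").mkdir(parents=True)
            (base / "index.php").write_text("<?php // stock index\n")
        (release / "inc" / "init.php").write_text("<?php // stock init\n")
        (forum / "inc" / "init.php").write_text("<?php // stock init\n// edited\n")
        (forum / "inc" / "zz_extra.php").write_text("<?php // unknown file\n")
        (forum / "uploads").mkdir()
        (forum / "uploads" / "avatar.png").write_bytes(b"\x89PNG")
        return compare_trees(forum, release)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it against a real forum by calling compare_trees with the downloaded forum folder and the unpacked release folder; anything under "extra" or "modified" deserves the manual check described in the list.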
If your forum has been hacked, then please start a new thread as each user may have different scenarios. Before starting a new thread, remember to search (for example, if you see error messages) to see if other users are having the same problems as you and methods to fix them.
If you think you've found a vulnerability in MyBB then please report it by Contacting Us with a security related message. Please only do this if you have a proof of concept - the ability to reproduce the vulnerability with a set of instructions.